Client Privacy Policy
Last updated: 22 June 2026
At FOUND Health we take the privacy and security of your personal information extremely seriously. Because the information we hold about you includes sensitive health data, we apply the highest standards of care to everything we collect, store, process and share.
This Privacy Policy explains who we are, what personal data we collect about you, why we collect it, how we use and share it, and what rights you have in relation to it. It applies to all individuals who engage with our services, whether through the Initial Discussion, a Membership, an Explore Product engagement, or any other interaction with FOUND Health.
This policy should be read alongside our Terms and Conditions, which set out the consents you give us when you accept them. By accepting our Terms and Conditions, you give your explicit consent to the processing of your health data as described in this policy and in those Terms.
Please read this policy carefully. If you have any questions, we are always happy to speak with you directly.
1. IMPORTANT INFORMATION: WHO WE ARE
1.1 Data Roles and Responsibilities. Depending on the context in which your data is processed, different parties may act as independent data controllers or processors:
(a) FOUND Health Limited acts as an independent data controller in respect of all personal data processed to provide the Services, including CareMap data, coordination activities and Service Tool operation. This means we determine the purposes and means of processing your information. We are registered in England and Wales with company number 17040332.
(b) Programme Providers may act either:
(i) as data processors on behalf of FOUND Health where they provide input into the CareMap under our direction; or
(ii) as independent data controllers where they deliver services directly to you.
(c) Navigation Providers (including GPs and specialists) act as independent data controllers in respect of any clinical services they provide to you.
(d) Service Tool providers act as data processors on behalf of FOUND Health.
Each controller is responsible for its own compliance with applicable data protection laws.
1.2 Contact details. For all data protection matters, including to exercise your rights or raise a concern, please contact us at:
Email: hello@foundhealth.co.uk
Post: Flat 1 74A Lower Richmond Road, London, England, SW151LL
1.3 ICO registration. We are registered with the Information Commissioner's Office (ICO) as a data controller. Our registration number is ZC159138. You have the right to make a complaint to the ICO at any time (see Section 10 for details).
1.4 Changes to this policy. We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through our Service Tools. The current version will always be available at www.foundhealth.co.uk. We encourage you to review it periodically.
1.5 Third-party links. Our Service Tools may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and encourage you to read their privacy policies before providing any personal data to them.
1.6 Data Protection Officer. FOUND Health has considered whether appointment of a Data Protection Officer (DPO) is required under UK General Data Protection Regulation (UK GDPR) Article 37. While FOUND Health processes special category health data, it does not do so on a large scale as its core activity, and on assessment does not currently meet the threshold for mandatory DPO appointment. FOUND Health has nonetheless designated a named individual within its leadership team as responsible for data protection compliance and oversight. That individual can be contacted at the data protection email address set out in Clause 1.2. This position will be kept under review as the volume and nature of our data processing activities develop.
2. THE PERSONAL DATA WE COLLECT
2.1 We collect and process different categories of personal data about you depending on how you engage with us. These are set out below.
“Identity data” your full name, date of birth, gender, and any other information you provide to identify yourself to us.
“Contact data” your postal address, email address and telephone number(s), including those of any emergency contact or next of kin you provide.
“Health and medical data” information about your physical and mental health, including your medical history, current diagnoses and conditions, medications, diagnostic test results, imaging, clinical correspondence from your existing healthcare providers, and any health information you share with us voluntarily during your Initial Discussion or Membership. This is special category data and is afforded the highest level of protection under data protection law.
“CareMap data” the personalised navigation document prepared by your FOUND Health team, including observations, priorities and next steps developed during your Initial Discussion and updated throughout your Membership.
"Explore data" scientific research, literature review outputs and associated notes generated by FOUND Health in the course of delivering your Explore Product, together with the Health and medical data used to scope and conduct that research.
“Wearables and device data” health metrics and activity data generated by wearable devices or health tracking applications that you choose to connect to our Service Tools.
“Financial data” payment card details and billing information necessary to process fees. Note that full card details are processed and held by our third-party payment processor, not by FOUND Health directly.
“Communications data” records of correspondence and communications between you and your FOUND Health team, including emails, messages and notes from consultations.
“Technical data” information generated by your use of our Service Tools, including login activity, access logs and preferences, used to ensure the security and proper functioning of the platform.
2.2 We do not collect or process genetic or biometric data. We do not operate CCTV or any on-site surveillance. We do not collect data relating to racial or ethnic origin, religion, political opinions, or sexual orientation unless you choose to share such information with us in the context of your care, in which case it is treated as special category health data and protected accordingly.
2.3 You are not obliged to provide us with any particular information. However, the comprehensiveness and quality of your CareMap and the Services we are able to deliver will depend on the information available to us.
3. HOW WE COLLECT YOUR PERSONAL DATA
3.1 We collect personal data from the following sources:
(a) Directly from you – through your acceptance of our Terms and Conditions, your Initial Discussion, communications with your FOUND Health team, and information you input into or connect to our Service Tools.
(b) From your existing healthcare providers – medical records, clinical correspondence, diagnostic results and specialist reports obtained from your General Practitioner “GP”, consultants and other treating clinicians, with your prior consent.
(c) From Programme Providers – assessments, observations and recommendations from the specialist practitioners we engage to contribute to your CareMap and, where applicable, to deliver programmes to you.
(d) From Navigation Providers – clinical correspondence, results and updates from specialists and other providers we coordinate with on your behalf, with your prior consent.
(e) From your Wearables – health and activity data from any device or application you choose to connect to our Service Tools.
4. PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA
4.1 We will only use your personal data when the law allows us to. The table below sets out the purposes for which we use your data. Where we rely on consent, you have the right to withdraw it at any time (see Section 8).
Delivering the Initial Discussion and preparing your CareMap. We process your health and medical data to conduct your Initial Discussion, consult Programme Providers where relevant, arrange clinical review of your CareMap, and present your CareMap to you.
Lawful basis: explicit consent (UK GDPR Art. 6(1)(a) and Art. 9(2)(a))
Delivering your Membership services. We process your health data, CareMap data, wearables data and communications to provide ongoing navigation and governance, update your CareMap, coordinate with your existing healthcare team and Navigation Providers, and give you access to your Service Tools.
Lawful basis: processing necessary for the performance of your contract with us (UK GDPR Art. 6(1)(b) and Art. 9(2)(b)) as the primary basis. Where applicable law permits, we may additionally rely on Art. 9(2)(a) as a secondary basis for processing health data necessary to deliver the navigation and governance services set out in your Membership Proposal and other specific circumstances including where required for particular categories of data sharing.
Delivering the Explore Product. Where you have purchased an Explore Product, we process your Health and medical data and CareMap data to scope, conduct and deliver the scientific research engagement described in your Explore Proposal, and to prepare your Explore Report.
Lawful basis: explicit consent (UK GDPR Art. 6(1)(a) and Art. 9(2)(a)); and performance of contract (UK GDPR Art. 6(1)(b)) for non-health data processed to fulfil the Explore engagement.
Consulting Programme Providers. We share relevant aspects of your health information with Programme Providers engaged by us to contribute specialist input to your CareMap and, where applicable, to deliver programmes to you directly.
Lawful basis: explicit consent (UK GDPR Art. 6(1)(a) and Art. 9(2)(a)).
Coordinating with Navigation Providers. We share Health Data with Navigation Providers to the extent necessary to coordinate your care, obtain clinical correspondence and facilitate specialist input, always with your prior consent.
Lawful basis: explicit consent (UK GDPR Art. 6(1)(a) and Art. 9(2)(a)).
Communicating with your existing healthcare team. We contact your GPs, consultants and other treating clinicians on your behalf, request records and correspondence, and facilitate communication between them, to build and maintain your complete health picture.
Lawful basis: explicit consent (UK GDPR Art. 6(1)(a) and Art. 9(2)(a)).
Managing payments and billing. We use your financial and identity data to process fees for the Initial Discussion, Membership and Programme Provider or Navigation Provider services collected through FOUND Health, and to issue invoices and receipts.
Lawful basis: performance of contract (UK GDPR Art. 6(1)(b)); and legal obligation (UK GDPR Art. 6(1)(c)) for statutory financial record-keeping.
Communicating with you. We use your contact data to send you updates about your care, respond to your queries, notify you of changes to your Membership or these policies, and provide service-related communications.
Lawful basis: performance of contract (UK GDPR Art. 6(1)(b)); and legitimate interests (UK GDPR Art. 6(1)(f)) where communication relates to service administration rather than contractual obligations.
Operating and improving our Service Tools. We use technical and communications data to maintain the security and functionality of our Service Tools, diagnose issues and improve the platform for members.
Lawful basis: legitimate interests (UK GDPR Art. 6(1)(f)): ensuring the platform operates securely and reliably for all Members, which does not override your rights given the limited and technical nature of the data processed.
Service improvement and quality assurance. We may use aggregated and fully anonymised data (from which you cannot be identified) to analyse trends, improve our service offering and develop our CareMap methodology. We will never use identifiable data for this purpose.
Lawful basis: legitimate interests (UK GDPR Art. 6(1)(f)). Because this data is fully anonymised and cannot be used to identify you, UK GDPR does not apply to it; this entry is included for transparency only.
Legal and regulatory compliance. We process personal data as necessary to comply with our legal and regulatory obligations, including responding to lawful requests from regulators, courts or law enforcement, and maintaining records required by law.
Lawful basis: legal obligation (UK GDPR Art. 6(1)(c) and Art. 9(2)(f)). Where compliance requires processing of health data, we rely additionally on Art. 9(2)(f) (processing necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity).
Fraud prevention and security. We use identity, contact and technical data to detect and prevent fraudulent activity and to protect the security of our systems and the data we hold.
Lawful basis: legitimate interests (UK GDPR Art. 6(1)(f)): protecting FOUND Health and its Members from fraud and unauthorised access. This interest is not overridden by your rights given that the processing is limited, proportionate and conducted for your benefit as well as ours.
Facilitating GP introductions where a Member has no existing GP. Where you request or require access to a GP and do not have one, FOUND Health may, with your agreement, present you with options from its partner network, including where relevant the individual who also serves as FOUND Health's Clinical Advisor in their separate capacity as a GP. Any introduction is made on the same basis as any Navigation Provider option: FOUND Health presents options, you make the choice, and any clinical relationship is formed directly between you and the GP under a separate agreement. FOUND Health does not make a clinical recommendation as to which GP you should engage.
Lawful basis: explicit consent (UK GDPR Art. 6(1)(a) and Art. 9(2)(a)).
Responding to medical emergencies involving you. In exceptional circumstances where you are incapacitated and unable to give consent, and where sharing your Health and medical data is necessary to protect your vital interests, we may share relevant information with emergency services, treating clinicians or other appropriate parties without prior consent.
Lawful basis: vital interests (UK GDPR Art. 6(1)(d) and Art. 9(2)(c)). This basis is relied upon only where you are physically or legally incapable of giving consent and the processing is necessary to protect your life or that of another person. It does not affect our ordinary consent-based processing in any other circumstances.
4.2 FOUND Health operates secure third-party digital platform that store, organises and presents your health information over time, including your CareMap, clinical correspondence and coordination records.
This platform functions as a personal health record and coordination tool designed to support the organisation of your healthcare journey. It does not replace the medical records held by your treating clinicians.
4.3 FOUND Health is a human-led service. Where artificial intelligence (AI) tools are used to support the preparation of your CareMap or the delivery of any other aspect of the Services, all AI-assisted outputs are reviewed and verified by a qualified member of your FOUND Health team before being used or shared with you. We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you, and no AI output forms part of your Services without prior human review and approval.
4.4 We will not use your personal data for direct marketing without your separate, explicit consent. If you do consent to receive marketing communications, you may withdraw that consent at any time.
5. PURPOSES FOR WHICH WE SHARE YOUR PERSONAL DATA
5.1 We share your personal data only where necessary, with trusted parties, and only for the purposes described in this policy.
5.2 Any personal data shared is done only:
(a) on your instruction; or
(b) where necessary to deliver the Services and within the scope of your agreed care coordination.
We do not grant third-party providers unrestricted access to your data. Data is shared on a case-by-case basis, limited to what is necessary for the relevant purpose. FOUND Health does not use your personal data for the independent purposes of third-party healthcare providers.
5.2 Programme Providers. We share relevant health information with the specialist practitioners we engage to contribute to your CareMap and, where applicable, to deliver programmes to you directly. Programme Providers are bound by confidentiality obligations and data processing agreements with FOUND Health and act under our direction..
5.3 Navigation Providers. Where you have consented, we share the minimum necessary Health and medical data with Navigation Providers to facilitate coordination of your care. We share data with a Navigation Provider only after you have confirmed your choice of that provider in writing; we do not share your data with specialists at the options-presentation stage. Navigation Providers are independent of FOUND Health and process data under their own privacy policies and professional obligations. Where FOUND Health facilitates an introduction to a GP acting as a Navigation Provider, including where that GP is the same individual who serves as FOUND Health's Clinical Advisor, that GP is presented as one option among others and no Health and medical data is shared until you have confirmed your choice in writing. Once a clinical relationship is established directly between you and that GP, they act as an independent data controller for all data processed within that clinical relationship. Their processing of your data in that capacity is governed by their own privacy policy and professional obligations, not by this policy.
5.4 Your existing healthcare team. With your consent, we share information with your GPs, consultants and other treating clinicians as necessary to coordinate your care and obtain records and correspondence on your behalf.
5.5 Service Tool suppliers. We use third-party software applications (the Service Tools) to deliver our services, store Health and medical data and manage clinical records. These suppliers act as data processors on our behalf. FOUND Health has data processing agreements in place with each supplier, requiring them to process your data only on our instructions and solely for the purpose of providing services to FOUND Health.
5.6 Payment processors. Payment transactions are processed by a third-party payment processor. Your full payment card details are handled by the payment processor directly and are not stored by FOUND Health. The payment processor is bound by applicable payment security standards.
5.7 Professional advisers. We may share personal data with our lawyers, accountants, auditors and insurers where necessary for the running of our business. These parties are bound by professional confidentiality obligations.
5.8 Legal and regulatory authorities. We will disclose personal data to regulators, courts, law enforcement agencies or other authorities where we are required to do so by law, or where disclosure is necessary to protect the vital interests of you or another person.
5.9 Business transfers. In the event of a merger, acquisition or sale of all or part of our business, your personal data may be transferred to the relevant third party. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. DATA SECURITY
6.1 We have put in place appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration or disclosure. These include:
(a) encryption of Health and medical data both in transit and at rest;
(b) strict access controls ensuring that only those with a legitimate need to access your data can do so;
(c) regular review and testing of our security systems and processes;
(d) confidentiality and data processing agreements with all third parties who handle your data on our behalf; and
(e) staff training on data protection obligations and information security.
6.2 We have procedures in place to deal with any suspected personal data breach. Where we are legally required to do so, we will notify you and the relevant supervisory authority of a breach without undue delay.
6.3 While we take every reasonable step to protect your data, no method of electronic transmission or storage is completely secure. You also play an important role in protecting your own data: please keep your Service Tools login credentials secure and notify us immediately if you suspect any unauthorised access to your account.
7. DATA RETENTION
7.1 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:
(a) Health and medical records: 8 years from the date of your last engagement with FOUND Health (including following termination of your Membership). We align our retention approach with recognised healthcare with record retention standards, given the nature of the data processed, while taking into account that FOUND Health is not a clinical provider. Where records relate to mental health, a retention period of 20 years applies from the date of last contact.
(b) Financial records: 7 years from the relevant transaction date, to comply with HMRC requirements.
(c) Communications and correspondence: where communications form part of your medical record or relate to a care decision, treatment option, or clinical matter, they are retained for 8 years from the date of your last engagement, in line with standard medical records retention guidance. General administrative correspondence not forming part of your medical record is retained for 3 years from the date of your last engagement. Given the nature of FOUND Health's service, we treat communications relating to your care, your CareMap, your Explore Report, and coordination with your healthcare team as forming part of your medical record for retention purposes.
(d) Explore Reports and associated research data: 8 years from the date of delivery of your Explore Report, in line with standard medical records retention guidance applicable to private healthcare providers in England, given that the research is conducted on the basis of your health information.
(e) Data from the Initial Discussion where you do not proceed to Membership: your Health Data gathered during Phase 1 will be made available to you on request for 90 days from the date your CareMap was presented, after which it will be securely deleted or anonymised, unless retention is required by law.
(f) Anonymised and aggregated data: where data has been fully anonymised such that you cannot be identified, we may retain it indefinitely for service improvement purposes.
7.2 At the end of the applicable retention period, your personal data will be securely deleted or destroyed in accordance with our data deletion policy. Where deletion is not immediately possible (for example, because data is held in backup archives), we will isolate it from further processing until deletion is possible.
7.3 Retention periods may be extended where necessary to:
(a) comply with legal obligations;
(b) resolve disputes; or
(c) maintain continuity of care information where reasonably required.
8. YOUR RIGHTS
8.1 Under UK data protection law, you have the following rights in relation to your personal data. There is no charge for exercising these rights. We will respond to any request within one month, though we may extend this period by a further two months for complex or numerous requests, in which case we will notify you.
8.2 Right of access. You have the right to request a copy of the personal data we hold about you (a Data Subject Access Request). This includes your Health and medical data, CareMap, clinical correspondence and any other records we hold.
8.3 Right to rectification. You have the right to request that we correct any personal data we hold about you that is inaccurate or incomplete. Given the importance of accuracy in your health record, we encourage you to notify us of any errors promptly.
8.4 Right to erasure. You have the right to request that we delete your personal data in certain circumstances, such as where the data is no longer necessary for the purpose for which it was collected. Please note that this right is not absolute: we may be required to retain some data by law (for example, medical records retention obligations), and we will explain the position to you if we are unable to comply in full.
8.5 Right to restrict processing. You have the right to request that we restrict the processing of your personal data in certain circumstances, for example whilst you are contesting the accuracy of the data or where you have objected to processing.
8.6 Right to data portability. Where we process your data on the basis of consent or contract, and that processing is carried out by automated means (including data stored in or generated by the Service Tools), you have the right to receive your personal data in a structured, commonly used and machine-readable format so that you may transfer it to another provider.
8.7 Right to object. You have the right to object to processing carried out on the basis of our legitimate interests. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, or where the processing is necessary for the establishment, exercise or defence of legal claims.
8.8 Right to withdraw consent. Where we process your data on the basis of your consent, you may withdraw that consent at any time by contacting us in writing. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Please be aware that withdrawing certain consents may affect our ability to deliver some or all of the Services; we will always notify you if this is the case. Where withdrawal of consent would prevent FOUND Health from delivering all or part of the Services, we will notify you of this before processing your withdrawal request, and will explain which aspects of the Services are affected. In certain limited circumstances, FOUND Health may be entitled to continue processing health data on an alternative lawful basis even following withdrawal of consent, such as where the processing is necessary to comply with a legal obligation or to protect vital interests and will do so only on one of the lawful bases set out in Section 4 of this policy. We will always explain the basis for any continued processing if this situation arises.
8.9 Right not to be subject to automated decision-making. You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. FOUND Health does not use automated decision-making in this way.
8.10 Right to Complain. You also have the right to lodge a complaint with the ICO at any time. See Section 10 for contact details.
9. INTERNATIONAL DATA TRANSFERS
9.1 In delivering our services, FOUND Health uses third-party software providers and service tools. Some of these providers may process your personal data outside the United Kingdom or the European Economic Area (EEA) as part of their ordinary operations.
9.2 Where any transfer of your personal data outside the UK or EEA occurs, whether directly by FOUND Health or by a third-party provider acting on our behalf, we ensure that appropriate safeguards are in place before a transfer takes place, such as the UK International Data Transfer Agreement (IDTA) or equivalent adequacy mechanisms. Details of the safeguards applied to any such transfer are available on request at the data protection address in Clause 1.2.
9.3 We take reasonable steps to select providers whose data residency and transfer practices are consistent with UK data protection law, and we review our providers' positions periodically.
9.4 Where Service Tool providers are based outside the UK, we assess their security posture, data protection standards, and transfer mechanisms prior to engagement, and conduct periodic reviews.
10. HOW TO CONTACT US AND HOW TO COMPLAIN
10.1 If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have a concern about how we handle your personal data, please contact us at:
Email: hello@foundhealth.co.uk
Post: Flat 1 74A Lower Richmond Road, London, England, SW151LL
10.2 We will acknowledge your query or request promptly and aim to resolve all data protection matters within one month. If your matter is complex, we will notify you of any extension to this period.
10.3 Right to complain to the ICO. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters. The ICO can be contacted at:
Website: www.ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
10.4 We would, however, welcome the opportunity to address your concerns before you approach the ICO, and ask that you contact us in the first instance.